Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "South Carolina's Oconee Nuclear Station will replace its analog monitoring and operating controls with digital systems, as part of a $2 billion plant upgrade by its owner, Duke Energy. It will become the first nuke plant in the US to use digital controls, and its upgrade may be quickly followed by others. The main driver for the move is cost savings; worries about reliability and hackers have been the reason digital systems haven't been adopted sooner."

Great use of sarcasm there, building on XP having had also over a decade of most obnoxious and prolific malware, ranging from mail worms through trojans all the way to self-replicating root-kits not to mention most numerous and spectacular security holes in the entire software industry.

And more to the point, it is also the only publicly known system to have been successfully compromised specifically to sabotage nuclear facilities....

Windows XP was a stable, hugely popular operating system that has had over a decade of bug and security patches. Give me XP over the latest xnix flavor any day.

The thing is, there is essentially only one flavor of windows, despite the differently packaged and priced versions. And it is essentially an OS for end-users that privileges usability over security. They only step back from obviously bad security practices after it has become a widely exploited and publicized problem. (C: shared by default over SMB? Auto-run? The holes that windows 7 put to make Vista's annoying UAC policy less annoying?).

This has nothing whatsoever to do with bashing Windows (although XP is a particularly funny idea in the context of nuclear facilities) but with the fact that no consumer-grade desktop OS is suitable for truly mission-critical applications. That also includes OS X as well as many popular Linux flavours.

That is because such systems are impossible to security audit, due to their sprawling complexity, which is a show-stopper in such environments (at least when total idiots are not in charge).

Anywhere where there is a demand for a high grade of reliability and rock-solid security, vastly trimmed-down subsets of an OS and GUI rendering systems that can be formally audited are used. Which usually means either BSD/Linux or some other commercial flavour of *nix like QNX, because such systems are written in a way that makes them easier to analyse at this level.

So you can leave your mindless "our team good! their team bad!" fanboi nonsense at the door.

South Carolina's Oconee Nuclear Station will replace its analog monitoring and operating controls with digital systems
Chinese Military Admits Existence of Cyberwarfare Unit
Wait..

No need to wait, they are already there [businessweek.com] since a long time ago. Save what you can... in this case, some costs. After all, a blender is $30 at Walmart and this is great for the nation (hint: second phrase of TFA).

And why would a employee workstation that is insecurely configured (allowing external USB keys should be a huge no no) and that is exposed to external sources have any reason whatsoever to be connected to the digital mission critical systems running the plant?

It doesn't have to be. See stuxnet. Ihe Iranian network that was infected was completely isolated from the internet. Once the employee machines are quietly infect it sits and waits for more media to be inserted and it infects those then the media is carried by human to the "secure" network and.......

Not really, it's been shown again and again that if you just drop off enough infected usb keys at an employee parking lot, during a morning or during lunch, that those employees will pick them up and naturally look up what's on those usb keys as soon as they get back in their office.

Hmmm I dunno, Off the top of my head I think one could just seed and employee parking lot with a few "FREE" USB flash drives. Whats the chance of an employee finding a USB flash drive in the parking lot and plugging it into an office computer when they sit down at their desk? 50%?

I looked up how Stuxnet works because it was relevant to my work and company (we use a lot of S7 PLCs on our production network).

The original was now much more than a glorified backdoor. It would install itself but did not contain any directly malicious payload. It would try to connect back to attacker, then the attacker could send and execute any payload they wanted.

It is likely the first payloads where used to identify priorities the attacked system (downloading source code etc). Then a malicious attack payload was specifically created to do the most harm and sent.

It was a glorified backdoor because it could propagate by itself and had the components to detect and connect to, upload and hide code to PLCs.

If it was installed by USB on a PC that was not connected to the internet then it would not have caused any direct harm since it wouldn't have been able to connect to the attacker.

Anyway, of course you can design a variant of Stuxnet that can try to damage any PLC without prior knowledge (contain a malicious payload), but i doubt it would be very effective. Without knowing what a PLC does / is supposed to do, the damage by simply changing values would likely be minimal and be immediately recognized.

It's perfectly safe to connect a USB key full of malicious software to a computer - as long as you do not run any software from that key! And you can only have software running from the USB key if 1) the OS allows this to begin with, and 2) the user (or OS - autostart or so) runs the software.

It is only reasonable to assume that a properly secured OS does not allow autorun functionality, and maybe even does not allow software to be run directl

and if it's not connected to a network it becomes a very labour intensive task to push out updates to the systems to prevent against the viruses.

Even if there is a whole internal network, that isn't connected to the internet all the modern computer security holes remain, and you either have to keep them all standalone - and update them all manually, or network them internally, update them all internally (as in, download updates by hand, transfer them to the appropriate internal network), you still need to

I think the real question is, why should nuclear power plant monitoring and control systems require a full-on desktop/server OS to run? Shouldn't they run things a little closer to the metal than that to reduce the number of pathways where things can go wrong, anyway?

The Siemens PLCs are managed by.... wait for it... WIndows software written by Siemens. IIRC months after the publication of Stuxnet and the Iranian infected PLSc from Siemens they still did not fix the vulnerabilities in their PLCs. The vendors that design the products have security as an afterthought. The power company is not smart enough to design such things as PLCs and control software etc. So they rely on commercial vendors such as Siemens and Microsoft. You know the rest.

Like in the old days when you had a cash register. All it did was be a cash register day in and day out without any problems. Currently most cash registers are cheap computers running complicated operating systems. The number of failure points is staggering.

You want digital controls? That's fine. Design some hardware to manage those controls and then STOP. You won't have to worry about drive failures, locking down USB ports, operating system updates, people doing things they shouldn't....

and if it's not connected to a network it becomes a very labour intensive task to push out updates to the systems to prevent against the viruses.

Maybe it is with windows with all that Microsoft Genuine advantage bullshit, but pushing out updates to Linux and OS X systems that are not connected to the Internet is pretty easy, i should know, i admined a huge network of them. Linux is probably the easiest. I just created a kickstart with the absolute minimum # of packages, used that as my base, and then put a copy of that system on the Internet to automatically download updates. All I have to do is periodically airgap the files(DVD works fine) over to the update server I set up on the LAN. All the machines just connect to that server and download their updates. Pretty damn simple. And if you are really hardcore, you can configure your machines to only download signed packages from trusted vendors(this is the default in RHEL for example). I spend maybe 15 minutes a week airgapping the things over... Now if you use that festering pile of insecure shit called Windows then you may have a point.

and if it's not connected to a network it becomes a very labour intensive task to push out updates to the systems to prevent against the viruses.

But don't most viruses and worms come from the internet and from removable storage devices?

If you took a computer and:1.installed an OS that allows file permissions,2.made the system drive read only for regular users (except the files that they have to change, for example, the profile directory and whatever files the software they use changes),3.disconnected floppy and DVD drives,4.disabled all unused ports,5.made the users sign an agreement not to connect any storage devices without obtaining permission,

...hackers have been the reason digital systems haven't been adopted sooner.

Here's an idea, let's not connect it to the Internet.

Like the Iranian uranium enriching centrifuges were connected to the Internet?

Or... what? Are they going to relocate microcontroller plants in US... or, for the reasons of costs, will be just produced in... a nation which has a 30-strong Blue Army commando [slashdot.org] (strictly for defense, of course. It's not likely they'll ever plant backdoors in hardware, isn't it?)? Something in TFA hints the second. Let me see if I can find it... here, just at the beginning:

In a nation where a digital blender can be bought for about $30 at Walmart,

I wonder where that $30 blender was made? In Toyota pla [usatoday.com]

Isolate the system, for Christ's sake. There's no reason that a system like this should have any connection to the Internet, any external access at all (except maybe read access for monitoring at home by the chief engineers or something), or -- and this is the part that people don't seem to get -- no freaking 802.11 access.

I find it amazing that, working in the medical field, every hospital I walk into is at least partially dependent on wireless networks. (Hint: Send desync commands continually with an iPod -- network down.) But not only that, but they go through all these hijinks to make life suck for legitimate users, and miss obvious things like direct network access through Ethernet ports. I walked into a room a few weeks ago, and a kid had plugged his laptop into the hospital Ethernet and it was (I later verified) BEHIND the firewall. Another hospital used WEP encryption for its "official" network, and my laptop broke it in about ten minutes in a call room.

You have all sorts of people working in administrative roles in these institutions that think security is defined as:1. Disable the Windows "run" command to piss me off.2. Don't allow me to click on the clock to see a calendar.3. Block web sites randomly for "security" reasons. (Hint: I'm a doctor. If I'm going to a web site I either have some legitimate reason to, or I'm goofing off because I have some critical patient that I'm stuck in the hospital with.)4. Throw up wireless networks with some idiotic click through screen before it will route anything, thus breaking every automated device on the market.

Probably any of us on Slashdot could do a better job than some of these idiots.

I can't comment on Points #1, #2, or #4, but I worked in a hospital network for several years and I can tell you that sites were blocked for very good reasons. Like the time we found out 40% of our internet bandwidth was being sucked up by internet radio, ESPN.com, Youtube, and Weatherbug (a few packets every few min is one thing, a few packets every few minutes from 10,000 computers going out the firewall at once for no good reason is something else).
As for doctors needing stuff for legitimate reasons? Let me tell you about the Department head that got his team exempted from the internet filters because his team was too important to be second-guessed. We had to get a network tech to go down & muck out all the donkey porn popups every three days. This continued until the female network tech decided that she was sick of knowing what these elite doctors did with their hospital-provided computers & threatened to sue for a Hostile Work environment unless we either A) Re-Blocked the doctors or B) Stopped making the network techs clean up the computer (effectively making it unusable).

Hell they shouldn't have any access at all. They should be in a ventilated, locked box, with no USB ports, no ethernet or wifi ports, and etc, etc, etc. But you know what? Sometime I give up. Stupidity really does win at the end of the day.

I guess I was an idiot to assume things had already been digital for some time now...

So what are they using right now then, a few vacuum tubes and clocksprings? Or do they have those newfangled "crystal" rectifiers and point contact transistors. (yeah, I know cave-tech and digital aren't mutually exclusive, give me a break;) ).

Just because there is no computer running the show, doesn't mean it isn't digital. I'm sure there must be some digital bits involved, no? Or is it just big fucking analog panel meter

I found a pretty neat site [englishrussia.com] that has a lot of cool pictures of what appears to be a modern Russian plant.

In this picture [englishrussia.com] we see the control panel and yeah, it looks like it is big fucking analog panel meters and red buttons. But there's a display [englishrussia.com] that is obviously some sort of digital status..not sure if it's electrical or some valve array thing, but as OP said there is already apparently some digital already.

While the whole HMI system is computerized there is also a "Critical Action Panel" that contains hardwired safety functions.For example, you can trigger an "Abandon Platform Shutdown" from a single push button should the need arise. This button is independent from the computerized control system.

For something as important as a nuclear plant I would sure hope they have hardwired redundancy for the important functions.

I was and electrician in the Naval Nuclear Power Program from 94-00 and they used hardly any digital anything. Motor controllers were made up of relays. Voltage regulators worked on saturated cores and such. Even the control rods were moved using AC or DC motors, depending on the plant. It seems hard to believe, but nuclear power is a technology from the 50s. The USS Nautilus, the first nuclear powered submarine, was launched in 1954, which I find amazing that 57 years ago they had nuclear power plants that could operate a ship while underwater, and that ship wasn't decommissioned until 1980. Yes, for alarms there are mostly just various things that trip relays such as thermocouples, pressure switches, salinity cells, etc. If you understand how the plant works, it's easy to see how it doesn't require anything digital to run. However, you could definitely save some serious cash in manpower by automating things.

Oconee was the first of three nuclear stations built by Duke Energy. According to Duke Energy's web site, the station has generated more than 500 million megawatt-hours of electricity, and is "the first nuclear station in the United States to achieve this milestone."[2]

(Wikipedia)

First unit came online in 1973, so they probably started building in 1968, using plans that were finalized by very conservative senior engineers in 1963 at the latest. These guys at this time would have regarded PLC's as bleeding

Just because the rest of us use digital controllers, doesn't mean that everyone does. Process control suppliers such as Foxboro spent decades building analog loop controllers. Yes, they are used in big panels full of big analog gauges with actual knobs to set the setpoints and gains etc. I had the joy of working in a cement factory in 1982. It had a control room packed with analog Foxboro stuff. There was also a PDP-8 computer, but it didn't do anything to run the plant; it was used to compute batch ingredi

The goal of going digital is to save money. Most systems in a nuclear power plant are monitors with four sensors. If two of them have out-of-whack readings, engineers often have to "trip" the plant, or shut it down, until the problem is resolved....Unlike a human engineer, who can only take in one measurement at a time from one instrument, the digital system takes in thousands of readings at any moment. The computer can instantly figure out if a sensor is broken and ignore it.

So, I guess the system there is that every sensor is connected to a gauge and/or an alarm relay. There are four sensors for each parameter that is monitored, so if one of them goes bad you can know that it's the sensor (since the other three provide normal values). Because a nuclear power plant uses a lot of sensors, they go bad all the time and if two sensors for the same parameter go bad, the plant has to be shut down (since it could also mean that the parameter is abnormal and the other two sens

Duke energy is the one that is working CLOSELY with China (they are more chinese than is GE). My guess is that these controls will come from them. As such, it will be VERY prone to control by them at the worst possible time.

I googled around and all I found was some stories about Duke partnering in "clean energy technologies" with a dominant (and probably partly state-owned) Chinese electricity provider. So what is the nature of this relationship with China?

As digital a geek as I am, I actually downgraded my pool. The garbage "computers" [inyopools.com] I''ve had foisted upon me by pool guys are absolute crap. So I pulled all the expensive valve actuators [inyopools.com] and run it by turning valves, and backwashing manually.

I love tech and all the things I do and can do with it. But sometimes, simpler and analog works.

is much less of a danger in this case I think. You couldn't convince a dedicated, highly paid engineer to endanger a digital system any more easily than you could convince him to endanger a system based on analog controls. These aren't bored medium waged desk workers, they are among the world's best educated and most aware of the systems they control. I think it wouldn't take a huge amount of effort to train them on how to keep the systems isolated.

... the german Government just decided yesterday to finally abandon and decommission all nuclear power by 2021. That's in 10 years. We'll be having a little extended backup reserve of 3 nuclear power plants, but their countdown has begun already.

With regular nuclear power, we are now talking about a technology that Germans considers unmanageable, safety wise. You might want to ponder that for a minute.

I for my part am glad that our current conservative government has finally gotten a clue (25 years after Chernobyl, none-the-less), also due to recent problems with our 'eternal' nuclear dump sites.

Nuclear, as of current state of technology, is a bad idea. There is no fucking way that *anybody* can take over responsibility for 50 000 years worth of deadly toxic waste. Anyone who thought that needs a clobbering.

Nuclear, as of current state of technology, is a bad idea. There is no fucking way that *anybody* can take over responsibility for 50 000 years worth of deadly toxic waste. Anyone who thought that needs a clobbering.

I am glad some of those older plants get closed, but even more glad that further research isn't going to stop, and that quite a few other countries still see a future for nuclear power. It'd be better if we had something safer and cleaner to meet our energy needs, but that's a long way off, a

Maybe, you need to compare the alternatives though. IF the German government have a realistic idea of how to compensate for the loss of 30% of their energy production, by all means go ahead. Otherwise, Germany will need to import and compensate for the loss by laying more cables to Sweden, Poland and France.

Sweden can only sell energy during the summer, and then 30 % will be from nuclear, France will sell energy but something like 80-90% will be from nuclear and Poland will happily deliver coal based power.

The idea was to replace it with renewables... however, the hippies thought that technology would develop faster than it did. So, when the plants would actually be shutdown, renewables where not up to the task.

The current government where pragmatic and cancelled the closure dates and also updated the law so new reactors could be installed under the condition that they replaced an old one that was decommissioned.

Well, being an Power Systems Controls Engineer at a major utility, I can tell you we already do analogs via a digital stream. The protocol of choice is DNP. It is a standard That also accepts the analog transducers used for the last 50 + years. I don't actually see why this is worthy of a story. The bigger story is how all of the utilities are going to adapt to the latest NERC-CIP regulations and adapt to "secure" versions of the various protocols. Things like secure DNP and a secure version of 61850.

The biggest problem with digital I&C is the “software common cause failure issue"

Imagine modern nuclear plant with multiple-channel redundancy in instrument and control systems, if one instrument fails, there are others. Same applies to whole cooling systems, if one cooling system fails, there are other completely independent systems that continue to work. Typically redundant systems use instruments from different manufacturers or instruments that are implemented with different technology.

This is not possible for digital systems because they are too costly to implement multiple times. What this means is that redundant digital control systems use same software. If one system fails because of software error, others may follow. This has already happened in German nuclear plant that had new digital system installed. Only the old analog system that was still operational saved the reactor.

This is why Finnish radiation and nuclear safety authority required changes in Areva's plans for the most modern nuclear reactor being build, Olkiluoto 3. They added analog safety requirements. Reactor must be able to shout down even when digital I&C has total failure. Relying for all digital systems compromises redundancy.

The "digital" portions of most instrumentation sit on top of the analogue loop. They were designed to give you the exact same thing you had + diagnostics and early fault prediction. Instruments which could not only give you 4-20mA but tell you that if you don't attend to them then within the week there's a good chance you'll get 3 or 25mA out of them and your control system spits out NaN.

Reliability wasn't getting in the way of the upgrade, $2bn was. There's not an industrial plant in the world that wouldn'

Yes, neutrinos are more common near nuke plants. At least that is what theory tells us. If you find a cheap way to PROVE this experimentally, you would become moderately famous among physicists. Getting extra glitches from memory would qualify...

And I suppose your opinion is based on something other than hear-say? Like maybe a little personal experience? Until then I suggest you avoid putting your foot in your mouth. I worked in the industry for 20 years and while I wouldn't paint them as choir boys, I know that the Corporate bean counters aren't the demons you portray them to be.

Really, I think a casual glance at today's news on the Cyber attack on Lockheed Martin shows that the bad guys are using Analog computers? Do you believe that a bad guy is going to walk up to the front gate of nuclear facility and lite their pants up? You're funny.

If you don't think there aren't fanboys who want to see older plants replaced by newer, more efficient, safer designs, please, come to Illinois. The lobby against this has been raging for a decade.

So, I don't know the Illinois case specifically, but most of the time when I hear about arguments against plant upgrades, the people doing the argument tend to be of the theory that if you don't upgrade the plant eventually it will get shut down.... very occasionally this is confused with a power company who wants to build a totally new plant instead of upgrade an old one, but . . . in general its not nuclear power 'fanboys' in the anti-upgrade lobby....

More like 22%, barely more than from renewables. And it is pretty manageable. We've got only four of 17 nuclear reactors running for a full week already, no blackouts at all. Too funny actually, because the nuclear lobby has prophecied the end of the world starting 21.05.2011. I guess they now have to wait until 2012, just as the rest of the world;-)

Too funny actually, because the nuclear lobby has prophecied the end of the world starting 21.05.2011.

Uh huh. Because the problems will all show up on the first day. I lived through the California "electricity crisis," [wikipedia.org] a failed privatization of California's electricity markets. The same sort of hubris was on display going into that. Their failures didn't start till a couple of years into the program, but were entirely predictable from a knowledge of the conditions going in. Obviously, phasing out your base load power (both nuclear and coal) without replacement is a different sort of issue than privatization

Now let's ignore that wind farms get built in the best locations first and assume they do even better over the next ten years with wind than they did in the last 10 years.lets say they build just as many extra wind farms.that still leaves them supplying only half the power they we